Skip to content

Hide Navigation Hide TOC

Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202)

Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof log in portals and other applications for credential collection.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2)(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)

Cluster A Galaxy A Cluster B Galaxy B Level
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) Attack Pattern 1
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 1
SnappyTCP - S1163 (5a6fa62e-4ddf-4ae3-974a-f17f24058350) Malware Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Install Digital Certificate - T1608.003 (c071d8c1-3b3a-4f22-9407-ca4e96921069) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set DNS Server - T1584.002 (c2f59d25-87fe-44aa-8f83-e8e59d077bf5) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Digital Certificates - T1588.004 (19401639-28d0-4c3c-adcc-bc2ba22f6421) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925) Attack Pattern 1
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b) Attack Pattern 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 1
Sea Turtle - G1041 (56a05d27-4d47-418a-b330-781c5614f202) Intrusion Set Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern 1
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) Attack Pattern 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 2
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
SnappyTCP - S1163 (5a6fa62e-4ddf-4ae3-974a-f17f24058350) Malware Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 2
SnappyTCP - S1163 (5a6fa62e-4ddf-4ae3-974a-f17f24058350) Malware Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern SnappyTCP - S1163 (5a6fa62e-4ddf-4ae3-974a-f17f24058350) Malware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern SnappyTCP - S1163 (5a6fa62e-4ddf-4ae3-974a-f17f24058350) Malware 2
SnappyTCP - S1163 (5a6fa62e-4ddf-4ae3-974a-f17f24058350) Malware Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) Attack Pattern 2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern Install Digital Certificate - T1608.003 (c071d8c1-3b3a-4f22-9407-ca4e96921069) Attack Pattern 2
Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern DNS Server - T1584.002 (c2f59d25-87fe-44aa-8f83-e8e59d077bf5) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3) Attack Pattern 2
Digital Certificates - T1588.004 (19401639-28d0-4c3c-adcc-bc2ba22f6421) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3